Security/Tizen 2.X Smack (Required Kernel Patches)

From Tizen Wiki
Jump to: navigation, search

Below is the list of required patches to smack since kernel 3.0 version. Commits marked in green are already in mainstream kernel. The rest of them is available in internal kernel repository.

commit 6c892df2686c5611979792aaa4ddea9ee9f18749
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Thu Oct 9 16:18:55 2014 -0700

    Smack: Lock mode for the floor and hat labels

    The lock access mode allows setting a read lock on a file
    for with the process has only read access. The floor label is
    defined to make it easy to have the basic system installed such
    that everyone can read it. Once there's a desire to read lock
    (rationally or otherwise) a floor file a rule needs to get set.
    This happens all the time, so make the floor label a little bit
    more special and allow everyone lock access, too. By implication,
    give processes with the hat label (hat can read everything)
    lock access as well. This reduces clutter in the Smack rule set.

    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
commit 1a5b472bde752783e0a31b59c61c9ff5b37a0983
Author: Rohit <rohit.kr@samsung.com>
Date:   Wed Oct 15 17:40:41 2014 +0530

    Security: smack: replace kzalloc with kmem_cache for inode_smack
    
    The patch use kmem_cache to allocate/free inode_smack since they are
    alloced in high volumes making it a perfect case for kmem_cache.
    
    As per analysis, 24 bytes of memory is wasted per allocation due
    to internal fragmentation. With kmem_cache, this can be avoided.
    
    Accounting of memory allocation is below :
     total       slack            net      count-alloc/free        caller
    Before (with kzalloc)
    1919872      719952          1919872      29998/0          new_inode_smack+0x14
    
    After (with kmem_cache)
    1201680          0           1201680      30042/0          new_inode_smack+0x18
    
    >From above data, we found that 719952 bytes(~700 KB) of memory is
    saved on allocation of 29998 smack inodes.

    Signed-off-by: Rohit <rohit.kr@samsung.com>
commit 	4d7cf4a1f49f76f4069114ee08be75cd68c37c5a
Author: Tomasz Stanislawski <t.stanislaws@samsung.com>
Date:   Tue Jun 11 14:55:13 2013 +0200

    security: smack: add a hash table to quicken smk_find_entry()
    
    Accepted for the smack-next tree after changing the number of
    slots from 128 to 16.
    
    This patch adds a hash table to quicken searching of a smack label by its name.
    
    Basically, the patch improves performance of SMACK initialization.  Parsing of
    rules involves translation from a string to a smack_known (aka label) entity
    which is done in smk_find_entry().
    
    The current implementation of the function iterates over a global list of
    smack_known resulting in O(N) complexity for smk_find_entry().  The total
    complexity of SMACK initialization becomes O(rules * labels).  Therefore it
    scales quadratically with a complexity of a system.
    
    Applying the patch reduced the complexity of smk_find_entry() to O(1) as long
    as number of label is in hundreds. If the number of labels is increased please
    update SMACK_HASH_SLOTS constant defined in security/smack/smack.h. Introducing
    the configuration of this constant with Kconfig or cmdline might be a good
    idea.
    
    The size of the hash table was adjusted experimentally.  The rule set used by
    TIZEN contains circa 17K rules for 500 labels.  The table above contains
    results of SMACK initialization using 'time smackctl apply' bash command.
    The 'Ref' is a kernel without this patch applied. The consecutive values
    refers to value of SMACK_HASH_SLOTS.  Every measurement was repeated three
    times to reduce noise.
    
         |  Ref  |   1   |   2   |   4   |   8   |   16  |   32  |   64  |  128  |  256  |  512
    --------------------------------------------------------------------------------------------
    Run1 | 1.156 | 1.096 | 0.883 | 0.764 | 0.692 | 0.667 | 0.649 | 0.633 | 0.634 | 0.629 | 0.620
    Run2 | 1.156 | 1.111 | 0.885 | 0.764 | 0.694 | 0.661 | 0.649 | 0.651 | 0.634 | 0.638 | 0.623
    Run3 | 1.160 | 1.107 | 0.886 | 0.764 | 0.694 | 0.671 | 0.661 | 0.638 | 0.631 | 0.624 | 0.638
    AVG  | 1.157 | 1.105 | 0.885 | 0.764 | 0.693 | 0.666 | 0.653 | 0.641 | 0.633 | 0.630 | 0.627
    
    Surprisingly, a single hlist is slightly faster than a double-linked list.
    The speed-up saturates near 64 slots.  Therefore I chose value 128 to provide
    some margin if more labels were used.
    It looks that IO becomes a new bottleneck.
    
    Signed-off-by: Tomasz Stanislawski <t.stanislaws@samsung.com>
commit eb67003c839b9c215f555ec7040789fd1d7526ed
Author: Tomasz Stanislawski <t.stanislaws@samsung.com>
Date:   Thu Jun 6 11:31:05 2013 +0200

    security: smack: add kmem_cache for smack_master_list allocations
    
    On ARM, sizeof(struct smack_master_list) == 12. Allocation by kmalloc() uses a
    32-byte-long chunk to allocate 12 bytes. Just ask ksize().  It means that 63%
    of memory is simply wasted for padding bytes.
    
    The problem is fixed in this patch by using kmem_cache. The cache allocates
    struct smack_master_list using 16-byte-long chunks according to ksize(). This
    reduces amount of used memory by 50%.
    
    Signed-off-by: Tomasz Stanislawski <t.stanislaws@samsung.com>
    Change-Id: Ic01e9a93c91fea65a30680ddbcaac563e81a9066
    Reviewed-on: http://slp-info.sec.samsung.net/gerrit/234690
    Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com>
    Tested-by: Kyungmin Park <kyungmin.park@samsung.com>
    Signed-off-by: Byungsoo Kim <bs1770.kim@samsung.com>
commit 9b4976f3fa51339f204783ad3f8cfd84cc1bf074
Author: Tomasz Stanislawski <t.stanislaws@samsung.com>
Date:   Thu Jun 6 11:17:21 2013 +0200

    security: smack: add kmem_cache for smack_rule allocations
    
    On ARM, sizeof(struct smack_rule)==20. Allocation by kmalloc() uses a
    32-byte-long chunk to allocate 20 bytes. Just ask ksize().  It means that 40%
    of memory is simply wasted for padding bytes.
    
    The problem is fixed in this patch by using kmem_cache. The cache allocates
    struct smack_rule using 24-byte-long chunks according to ksize(). This reduces
    amount of used memory by 25%.
    
    Signed-off-by: Tomasz Stanislawski <t.stanislaws@samsung.com>
    Change-Id: I672055d564a31278a4b3dc8aaff0aa494386c0b9
    Reviewed-on: http://slp-info.sec.samsung.net/gerrit/234689
    Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com>
    Tested-by: Kyungmin Park <kyungmin.park@samsung.com>
    Signed-off-by: Byungsoo Kim <bs1770.kim@samsung.com>
commit 372fe6ec157a586c6330ec6914c41e6e09447a9a
Author: Yang Yonghyun <alex.yang@samsung.com>
Date:   Fri Oct 17 16:38:10 2014 +0900

    [PATCH] Tizen: Smack: Apply Smack Ptrace patch
    
    If Smack ptrace option (/smack/ptrace) is enabled, subject and object Smack label must be same between tracer and tracee.
    Patch URL : https://patchwork.kernel.org/bundle/iceberg/Smack_ptrace/
    Patch Doc : https://gitorious.org/smack-next/kernel/source/smack-for-3.16:Documentation/security/Smack.txt#L207
    
    Change-Id: Iaba78e7b09bedf0d86796baa30eb68a26af52439
commit b5dfd8075bc26636d11c3d8888940198afbf5112
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Tue Oct 22 11:47:45 2013 -0700

    Smack: Ptrace access check mode
    
    When the ptrace security hooks were split the addition of
    a mode parameter was not taken advantage of in the Smack
    ptrace access check. This changes the access check from
    always looking for read and write access to using the
    passed mode. This will make use of /proc much happier.
    
    Targeted for git://git.gitorious.org/smack-next/kernel.git
    
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
commit c0ab6e56dcb7ca9903d460247cb464e769ae6e77
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Fri Oct 11 18:06:39 2013 -0700

    Smack: Implement lock security mode
    
    Linux file locking does not follow the same rules
    as other mechanisms. Even though it is a write operation
    a process can set a read lock on files which it has open
    only for read access. Two programs with read access to
    a file can use read locks to communicate.
    
    This is not acceptable in a Mandatory Access Control
    environment. Smack treats setting a read lock as the
    write operation that it is. Unfortunately, many programs
    assume that setting a read lock is a read operation.
    These programs are unhappy in the Smack environment.
    
    This patch introduces a new access mode (lock) to address
    this problem. A process with lock access to a file can
    set a read lock. A process with write access to a file can
    set a read lock or a write lock. This prevents a situation
    where processes are granted write access just so they can
    set read locks.
    
    Targeted for git://git.gitorious.org/smack-next/kernel.git
    
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
commit 10289b0f738e8b301969f2288c4942455f1b1e59
Author: Rafal Krypa <r.krypa@samsung.com>
Date:   Fri Aug 9 11:47:07 2013 +0200

    Smack: parse multiple rules per write to load2, up to PAGE_SIZE-1 bytes
    
    Smack interface for loading rules has always parsed only single rule from
    data written to it. This requires user program to call one write() per
    each rule it wants to load.
    This change makes it possible to write multiple rules, separated by new
    line character. Smack will load at most PAGE_SIZE-1 characters and properly
    return number of processed bytes. In case when user buffer is larger, it
    will be additionally truncated. All characters after last \n will not get
    parsed to avoid partial rule near input buffer boundary.
    
    Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
commit 6ea062475a9a2ea6e1394487fa0e51b3459957d1
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Mon Aug 5 13:21:22 2013 -0700

    Smack: IPv6 casting error fix for 3.11
    
    The original implementation of the Smack IPv6 port based
    local controls works most of the time using a sockaddr as
    a temporary variable, but not always as it overflows in
    some circumstances. The correct data is a sockaddr_in6.
    A struct sockaddr isn't as large as a struct sockaddr_in6.
    There would need to be casting one way or the other. This
    patch gets it the right way.
    
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: Jinwoo nam <jwoo.nam@samsung.com>
commit 677264e8fb73ea35a508700e19ce76c527576d1c
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Fri Jun 28 13:47:07 2013 -0700

    Smack: network label match fix
    
    The Smack code that matches incoming CIPSO tags with Smack labels
    reaches through the NetLabel interfaces and compares the network
    data with the CIPSO header associated with a Smack label. This was
    done in a ill advised attempt to optimize performance. It works
    so long as the categories fit in a single capset, but this isn't
    always the case.
    
    This patch changes the Smack code to use the appropriate NetLabel
    interfaces to compare the incoming CIPSO header with the CIPSO
    header associated with a label. It will always match the CIPSO
    headers correctly.
    
    Targeted for git://git.gitorious.org/smack-next/kernel.git
    
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
commit 470043ba995a79a274a5db306856975002a06f19
Author: Tomasz Stanislawski <t.stanislaws@samsung.com>
Date:   Thu Jun 6 09:30:50 2013 +0200

    security: smack: fix memleak in smk_write_rules_list()
    
    The smack_parsed_rule structure is allocated.  If a rule is successfully
    installed then the last reference to the object is lost.  This patch fixes this
    leak. Moreover smack_parsed_rule is allocated on stack because it no longer
    needed ofter smk_write_rules_list() is finished.
    
    Signed-off-by: Tomasz Stanislawski <t.stanislaws@samsung.com>
commit 0fcfee61d63b82c1eefb5b1a914240480f17d63f
Author: Passion,Zhao <passion.zhao@intel.com>
Date:   Mon Jun 3 11:42:24 2013 +0800

    Smack: Fix the bug smackcipso can't set CIPSO correctly
    
    Bug report: https://tizendev.org/bugs/browse/TDIS-3891
    
    The reason is userspace libsmack only use "smackfs/cipso2" long-label interface,
    but the code's logical is still for orginal fixed length label. Now update
    smack_cipso_apply() to support flexible label (<=256 including tailing '\0')
    
    There is also a bug in kernel/security/smack/smackfs.c:
    When smk_set_cipso() parsing the CIPSO setting from userspace, the offset of
    CIPSO level should be "strlen(label)+1" instead of "strlen(label)"
    
    Signed-off-by: Passion,Zhao <passion.zhao@intel.com>
commit 8cd77a0bd4b4a7d02c2a6926a69585d8088ee721
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date:   Mon May 27 20:11:27 2013 +0900

    Smack: Fix possible NULL pointer dereference at smk_netlbl_mls()
    
    netlbl_secattr_catmap_alloc(GFP_ATOMIC) can return NULL.
    
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit e830b39412ca2bbedd7508243f21c04d57ad543c
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Wed May 22 18:43:07 2013 -0700

    Smack: Add smkfstransmute mount option
    
    Suppliment the smkfsroot mount option with another, smkfstransmute,
    that does the same thing but also marks the root inode as
    transmutting. This allows a freshly created filesystem to
    be mounted with a transmutting heirarchy.
    
    Targeted for git://git.gitorious.org/smack-next/kernel.git
    
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
commit 2f823ff8bec03a1e6f9e11fd0c4d54e4c7d09532
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Wed May 22 18:43:03 2013 -0700

    Smack: Improve access check performance
    
    Each Smack label that the kernel has seen is added to a
    list of labels. The list of access rules for a given subject
    label hangs off of the label list entry for the label.
    This patch changes the structures that contain subject
    labels to point at the label list entry rather that the
    label itself. Doing so removes a label list lookup in
    smk_access() that was accounting for the largest single
    chunk of Smack overhead.
    
    Targeted for git://git.gitorious.org/smack-next/kernel.git
    
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
commit c673944347edfd4362b10eea11ac384a582b1cf5
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Wed May 22 18:42:56 2013 -0700

    Smack: Local IPv6 port based controls
    
    Smack does not provide access controls on IPv6 communications.
    This patch introduces a mechanism for maintaining Smack lables
    for local IPv6 communications. It is based on labeling local ports.
    The behavior should be compatible with any future "real" IPv6
    support as it provides no interfaces for users to manipulate
    the labeling. Remote IPv6 connections use the ambient label
    the same way that unlabeled IPv4 packets are treated.
    
    Targeted for git://git.gitorious.org/smack-next/kernel.git
    
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
commit a5a68b6d56a51c1c75a50fe348bc1a86be1895ed
Author: Joong-Mock Shin <jmock.shin@samsung.com>
Date:   Fri Aug 8 20:24:13 2014 +0900

    TizenKiran: Initial commit for sc7727 bringup
    
    P4: 1718: //MAIN/Silver/SC77xx/kernel/
    changelist: 97910 (2014. 08. 08)
    
    Signed-off-by: Joong-Mock Shin <jmock.shin@samsung.com>